System and methods for a vernam stream cipher, a keyed one-way hash and a non-cyclic pseudo-random number generator

ABSTRACT

The invention discloses a cryptographic system and consisting of three methods: a cryptographic Vernam stream cipher that permits software programs on separate computers to encrypt and decrypt information; a cryptographic keyed one-way hash that ensures the integrity and authenticity of a message; a non-cyclic pseudo-random number generator that permits a software program inside a computer to create large amounts of pseudo-random bits at high data rates.

FIELD OF THE INVENTION

This invention relates to cryptographic algorithms in general and inparticular to the generation of non-cyclic pseudo-random numbersequences, for the encryption and decryption of data, and for the keyedone-way hash of a message.

BACKGROUND OF THE INVENTION

Cryptographic ciphers, keyed one-way hashes and pseudo-random numbergenerators are well known for providing the underpinnings of securitysystems and secure communication channels. The availability of goodcommercial quality ciphers and one-way hashes has helped enablecommercial data traffic over the insecure Internet. One of the goals ofcryptographic ciphers is to encrypt and decrypt efficiently thecommunication channels between computers, routers and firewalls in sucha manner as to scale smoothly from the very high bandwidth fiber opticchannels to the slow telephone connections carrying Internet data packettraffic without significantly burdening a host computer's or router'sprocessor. Unfortunately, the computer processing overhead typicallyneeded by standard ciphers in a secure computer network protocol tendsto be relatively large compared to what is required to support thenon-cryptographic processing portion of that protocol over acommunications channel. Moreover, one-way hashes, keyed or not, can addsignificantly to the processing burden when used in a secure computernetwork protocol.

In a general form, existing ciphers have been optimized using classiccomputer programming techniques. However, even the best techniques oftenonly yield nominal performance gains. Ciphers are usually extremelydifficult to optimize, via techniques like loop unrolling, because bytheir very nature they are designed to prevent brute force attackmethods that attempt to simplify the cryptographic processing. Evenmodern ciphers designed with modern microprocessor architectures in mindcannot always take advantage of larger registers, multiplemicroinstruction pipelines or on-chip caches. This is more problematicwith one-way hashes which by design typically compress data bitsrandomly throughout a data block. One way hashes are difficult tooptimize properly on modern microprocessors.

In the class of stream ciphers, Vernam ciphers stand out in theirability to very efficiently encrypt and decrypt without modifying thedata payload sizes of computer network protocol packets. The cipher'scomputational overhead is minimal making it an extremely desirablecandidate to encipher computer network communications. Both the USA andRussia use a variant known as a one-time pad system to encipherdiplomatic and spy communications. This is theoretically and in practiceunbreakable. However it is impractical to implement it in a large-scalesecurity system due to the stupendous amounts of key material that needsto be distributed and managed.

In the early 1990's some stream ciphers were developed that used aninternal PRNG seeded with a random key to generate a Vernam key stream.Notable examples are RC4 and SEAL. These ciphers are typically abouthalf a magnitude faster than a comparable block cipher such as DES orAES. Their main limitation is that they cannot randomly access andoperate on any part of a data stream. This limits their ability tosupport datagram protocols like IPv4, where data packets may arrive outof order. Since their key setup costs are high, this also limits theirutility in supporting a datagram protocol which may need to rekeyfrequently, often per packet.

Most security systems that utilize a Vernam stream cipher typically havea very good quality source of large amounts of random bits over a givenperiod of time, to be used for keying materials. The hardware basedrandom number generators typically cannot supply sufficient random bitsfor this system.

In most security network protocols, packets have their integrity andauthenticity ensured during transit over an insecure network channel. Amethod used is a keyed one-way hash, or message authentication code(MAC). HMAC, using either the MD5 or the SHA-1 hash, has been theutilized for recent Internet security protocols. The difficulty withusing either hash is that for a legacy protocol like IPv4 there is notenough room for all the bits of the hash in the packet header.Furthermore, these hashes were designed to protect large files ofindeterminate size. Often their design and implementation is not suitedfor protocols that typically require very fast operation over packetswith a known maximum size, such as 64 kilobytes for IPv4 packets.

SUMMARY OF THE INVENTION

A system and methods are disclosed which allow a Vernam stream cipher tobe successfully used in a security system, in particular one thatsupports a secure computer network protocol. Supporting the cipher aremethods for a non-cyclic pseudo-random number generator (PRNG) and akeyed one-way hash, or message authentication code (MAC) mechanism.

The invention provides methods for generating a stream of random bitsfrom a PRNG. They generate these bits in such a manner as to not haveany predictable random number sequence cycle and to have them allultimately come from a true hardware random number generator (RNG). Ineffect these PRNGs act as performance amplifiers for a much slowerhardware RNG, providing vast amounts of random bits for use in a Vernamcipher based cryptosystem. By randomly shuffling the private staticsource of random bits this provides a high level of system wide entropy.

Further, the invention provides a system and method for enciphering ordeciphering bytes of data. The first layer of protection is to create afinal pad from a private and secret derived source of random bits toencipher or decipher a data stream using simple XOR and rotationoperations. The second layer of protection is to periodically deliverrandom cryptographic keys and values from a secured server to the localcomputer that control the random reshuffling of the private and secretlocal source of random bits, creating the derived source of random bits.The final layer of protection is to every so often replace the privateand secret local source of random bits with a fresh set of random bitsfrom a secured server. The secured server contains the previouslydescribed PRNG, which generates all the random bits needed to deliverkeys and new secret random bits to the local computer. A large diskstorage media, such as a CD ROM, could be substituted for the securedserver to allow off line operation.

The invention provides a system and method for maintaining the integrityand providing authentication for a message. This method of a keyedone-way hash uses a tree construction that cascades the results of a setof compression functions into another smaller set until an intermediatevalue is formed. Each compression function utilizes a set of randomvectors used to randomly rotate message bits to prevent a type of 2^(nd)pre-image attack and to make it non-deterministic to foil MAC forgeryattacks. This intermediate value in turn is used to look up a randomvalue, or hash value, from a set of tables, which prevent 1^(st)pre-image and certain 2^(nd) pre-image attacks. A one-time pad in turnencrypts the hash value, thus practically and theoretically eliminatingany known-plain text attacks to determine any internal tables or sourcebits of the random vectors. For added security internal tables, randomsource bits for the vectors and the one-time pad are periodicallyrefreshed from the security server. The secured server contains thepreviously described PRNG that generates all the random bits needed todeliver new look up tables, rotation vectors and one-time pad randombits to the local computer. A large disk storage media, such as a CDROM, could be substituted for the secured server to allow off lineoperation.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a diagram illustrating one embodiment of the of a senderor a receiver computer according to the invention.

FIG. 2 depicts a diagram illustrating one embodiment of the of a servercomputer according to the invention.

FIG. 3 depicts a diagram illustrating one embodiment of the randompermutation according to the invention.

FIG. 4 depicts a diagram illustrating one embodiment of the randompermutation according to the invention.

FIG. 5 depicts a diagram illustrating one embodiment of re-arranging asequence of numbers randomly according to the invention.

FIG. 6 depicts a diagram illustrating the Key or Seed Data Structureaccording to the invention.

FIG. 7 depicts a diagram illustrating unit sizes according to theinvention.

FIG. 8 depicts a flow diagram illustrating a process of random nestedshuffling according the invention.

FIG. 9 depicts a diagram illustrating a random nested shuffle of anumber sequence according to the invention.

FIG. 10 depicts a diagram illustrating a pseudo-random number generatoraccording to the invention.

FIG. 11 depicts a diagram illustrating a data flow of generating astream of pseudo-random numbers according to the invention.

FIG. 12 depicts a diagram illustrating a data flow of random shuffling arandom source pool according to the invention.

FIG. 13 depicts a diagram illustrating a data flow between a sender, areceiver and server according to the invention.

FIG. 14 depicts a diagram illustrating a data flow between a sender, areceiver and storage disk according to the invention.

FIG. 15 depicts a diagram illustrating encryption according to theinvention.

FIG. 16 depicts a diagram illustrating decryption according to theinvention.

FIG. 17 depicts a flow diagram illustrating a half of the first part ofthe cipher according to the invention.

FIG. 18 depicts a flow diagram illustrating another half of the firstpart of the cipher according to the invention.

FIG. 19 depicts a flow diagram illustrating a substitution tableaccording to the invention.

FIG. 20 depicts a flow diagram illustrating the second and final part ofthe cipher according to the invention.

FIG. 21 depicts a diagram illustrating a data flow of random nestedshuffling a source pad according to the invention.

FIG. 22 depicts a diagram illustrating a data flow of random rotationand random shuffling a preliminary pad to create via extraction a finalenciphering pad according to the invention.

FIG. 23 depicts a diagram illustrating a data flow of a keyed one-wayhash function according to the invention.

FIG. 24 depicts a diagram illustrating a data flow of a compressionfunction according to the invention.

FIG. 25 depicts a diagram illustrating a data flow of compressioncalculation according to the invention.

FIG. 26 depicts a diagram illustrating a process of compressing amessage according to the invention.

FIG. 27 depicts a diagram illustrating a process of compressing amessage according to the invention.

FIG. 28 depicts a diagram illustrating a process of compressing amessage according to the invention.

FIG. 29 depicts a diagram illustrating a data flow of MAC Valuecalculation according to the invention.

FIG. 30 depicts a diagram illustrating a data flow of nested shuffling apre-hash table according to the invention.

FIG. 31 depicts a diagram illustrating a data flow of nested shufflingan encryption pool according to the invention.

FIG. 32 depicts a diagram illustrating a data flow of nested shuffling arotation pool according to the invention.

FIG. 33 depicts a diagram illustrating a data flow of nested shuffling apadding pool according to the invention.

FIG. 34 depicts a diagram illustrating a variety of ways to connectcommunicating computers.

DETAILED DESCRIPTION OF THE INVENTION

Specific reference is made in detail to the embodiments of theinvention, examples of which are illustrated in the accompanyingdrawings and following descriptions. While the invention is described inconjunction with the embodiments, it will be understood that theembodiments are not intended to limit the scope of the invention. Thevarious embodiments are intended to illustrate the invention indifferent applications. Further, specific details are set forth in theembodiments for exemplary purposes and are not intended to limit thescope of the invention. In other instances, well-known methods,procedures, and components have not been described in detail as not tounnecessarily obscure aspects of the invention.

In the following descriptions the following descriptive names will beused; Key, Seed, Vector, Pad, Pool, Strip, Table, Value, Card, Pack,Case, random number generator (RNG), and pseudo random number generator(PRNG). A Seed is populated with random bits from a hardware RNG, andare generated and consumed within a centralized secured server or diskmanufacturing utility. A Key, Pad, Value, Table, and Pool are populatedwith random bits from the PRNG. A Vector can be populated with randombits from either a RNG or a PRNG. A Pool is never used directly butsupplies random bits for other things like Pads, Vectors, and Strips. AStrip is a sequence of bytes taken out of a Pool only once (known in theliterature as a one-time pad). A Vector is a sequence of random numbersor bits used to control an operation on another sequence of randomnumbers. A random factorial permutation of a sequence of bytes ornumbers will be referred to as a Shuffle.

Referring to FIG. 1, a Sender or Receiver Computer (102) contains aprocessor (104), a dynamic random access memory (DRAM) module (110) andone or more network interfaces (116), all interconnected internally byone or more data buses (120). The Network Interfaces (116) are alsoconnected to a data link channel (122) such as Ethernet. Within theprocessor (104) are one or more arithmetic logic units (ALUs, 106) whichcan perform bit wise exclusive OR (XOR) or bit wise rotations ofsupported integers sizes, typically 1, 2, 4 or 8 bytes, and high speedon-chip memory cache (108). The DRAM contains the software of the VernamStream Cipher (112) and Keyed One-Way Hash (114).

Referring to FIG. 2, a Key & Pad Server Computer (202) contains aprocessor (204), a dynamic random access memory (DRAM) module (210), anetwork interface (214) and a hardware random number generator (RNG,216), all interconnected internally by one or more data buses (218). Thenetwork interface (214) is also connected to a data link channel (220)such as Ethernet. Within the processor (204) are one or more arithmeticlogic units (ALUs, 206), which can perform bit wise exclusive OR (XOR)or bit wise rotations of supported integers sizes, typically 1, 2, 4 or8 bytes, and high speed on-chip memory cache (208). The DRAM containsthe software of the PRNG (212).

Referring to FIG. 3, a simple mechanism of generating a random sequenceof N unique numbers from the set of numbers 0 to N−1, where N is a powerof 2, would be to take the output of a hardware RNG (302) and use itsoutput of bits to fill in an array of N values (304). Each value isrepresented by log₂(N) bits. The first log₂(N) bits produced by the RNGwould fill in the first value in the array. The 2^(nd) log₂(N) bitsproduced by the RNG would be used to fill in the 2^(nd) value in thearray if they are different from the 1^(st) value. If not, then thosebits are thrown away and another set of bits are acquired from the RNGand the procedure is repeated until a 2^(nd) value is found that isdifferent from the 1^(st) value. The process is continued for the 3^(rd)through Nth values, where each value from the RNG is compared with allprevious values and used to fill a position in the array only if it isdifferent. In this way all possible numbers from 0 to N−1 are randomlyselected and placed into the array.

Referring to FIG. 4, a near-perfect riffle shuffle mechanism ofgenerating a random sequence of N unique numbers from the set of numbers0 to N−1, where N is a power of 2, would be to take the output of ahardware RNG (402) and use its output of bits to create a Random RepeatNumber (404) and a Random Control Vector (406) of N/2 bits. The RandomRepeat Number, X, is not less than 3/2×log₂(N), for example if N equals256 then X equals 12 or greater. If X is too small, then another numberis retrieved from the RNG until this criteria is satisfied. Taking asequence of numbers from 0 to N−1 (408), we then split it into twohalves (410, 412) and riffle shuffle them together, similar to how apack of cards would be shuffled, with the interleaving of the numbersbeing determined by the Random Control Vector (406). The vectorindicates whether a number in an array slot from the upper half (410)should go before or after its corresponding number in the same arrayslot in the lower half (412). The result is then placed in a new arrayof numbers (414). This new array of numbers (414) then replaces theoriginal array of numbers (408). This whole process (from 406 to 414) isrepeated X times (404), until the original sequence of numbers (408) arethoroughly and randomly shuffled (414).

Referring to FIG. 5, using a random sequence of unique numbers (502), acontrol sequence, which come from a countable sequence of numbersstarting at zero, and treating them as indices to a source array ofrandom numbers (504), the invention indicates the new arrangement of aresult sequence of the random numbers (506). For example, counting from0, if the 0^(th) element in the control sequence is the number 2, thenthis means that the value of the 0^(th) element of the result sequenceis the same as the value of the 2^(nd) element of the source sequence.If the 1^(st) element in the control sequence is the number 5, then thismeans that the value of the 1^(st) element of result sequence is thesame as the value of the 5^(th) element of the source sequence. This isrepeated for all N indices from 0 to N−1. This operation using thecontrol sequence to convert the source sequence to the result sequencewill be known as a random shuffle throughout the rest of this document.

Referring to FIG. 6, the random control sequence of unique numbers willbe referred to as a Key or a Seed (602) throughout the remainder of thisdocument. The difference between the two terms is that a Seed isgenerated directly from a hardware RNG while a Key is generated from aPRNG. Keys and Seeds come in sequences with an amount of numberscountable by powers of 2, 2^(Y) where Y is usually 6, 7, or 8. I.e.sequences of 64, 128 or 256 unique numbers randomly shuffled. The numberof bits per number is Y. For example if Y is 7 then we have a sequenceof 2⁷, or 128, unique numbers (randomly shuffled) with each numberconsisting of only 7 bits, i.e. only from the range of values 0 to 127.Referring to FIG. 7, when large sequences of numbers are randomlyshuffled, they are broken up into certain sizes. The smallest size iscalled a Card (702). This can consist of 2^(U) bytes, where U is 0, 1,2, 3, or 4. I.e. a Card can be 1, 2, 4, 8 or 16 bytes in size. Usually aCard size is chosen for optimal arithmetic operation using commonmicroprocessor architectures. The next larger size is a Pack (704),which consists of 2^(V) Cards, where V is 6, 7, 8 or larger. I.e. a Packcan consist of 64, 128, 256 or more Cards. The next larger size is aCase (706), which consists of 2^(W) Cards, where W is 6, 7, 8 or larger.I.e. a Case can consist of 64, 128, 256 or more Packs. The largest sizeis the large sequence of numbers to be shuffled, usually called a Pad ora Pool (708), which consists of 2^(X) Cases, where X is 6, 7, 8 orlarger. I.e. a Pad or Pool can consist of 64, 128, 256 or more Cases.

A Non-Cyclic Pseudo-Random Number Generator

Because a Vernam stream cipher, described later, requires a tremendousamount of random material (bytes), it is critical to have a highthroughput and high quality Pseudo-Random Number Generator available.Without it, it would be impossible to engineer a security system basedaround a Vernam stream cipher.

Referring to FIG. 8, a nested shuffling process is shown by the flowdiagram. At block 802, the 3 Mixing Seeds are received. The 3 MixingSeeds include Case Seeds, Pack Seeds, and Card Seeds. At block 804, ashuffling function is performed on each Case utilizing a Case Seed foreach Case, this is a Level 1 shuffle (L1). At block 806, each of theshuffled Cases are divided into multiple Packs. At block 808, ashuffling function is performed on each Pack utilizing a Pack Seed foreach Pack, this is a Level 2 shuffle (L2). At block 810, each of theshuffled Packs are divided into multiple Cards. At block 812, ashuffling function is performed on each Card utilizing a Card Seed foreach Card, this is a Level 3 shuffle (L3).

Referring to FIG. 9, a nested shuffling of a sequence of Cards proceedsas follows. A sequence of cards (902) divided into Cases (904), whichare then shuffled according to a Case Key or Seed (916), resulting inrandomly permuted sequence of Cases (906). Then in turn, these shuffledCases (906) are subdivided into Packs (908), each Case being partitionedidentically, which are then shuffled according to a Pack Key or Seed(918) that is applied once per Case to each set of Packs containedtherein, resulting in identically randomly permuted sequence of Packsper Case (910). Then in turn, these shuffled Packs (910) are subdividedinto Cards (912), each Pack being partitioned identically, which arethen shuffled according to a Card Key or Seed (920) that is applied onceper Pack to each set of Cases contained therein, resulting inidentically randomly permuted sequence of Cards per Pack (914).

Referring to FIG. 10, a RNG (1002), is used to periodically to create acouple of Random Source Pools A (1004) and B (1006). Using both RandomSource Pools and input Mixing Seeds from the RNG, a PRNG (1008) emits avery large number of random numbers over a very short period of time.The PRNG is non-cyclic where finite sequences of random numbers have avery low probability of repeating in an unpredictable or random manner,until the next refresh of both Random Source Pools occurs.

Referring to FIG. 11, to initialize a PRNG, the RNG (1102) first fills acouple of Source Pools A (1104) and B (1106) with random numbers. TheSource Pools (1104, 1106) are recommended to be at least 128 megabyteseach, to ensure a very deep source of entropy for the PRNG. However,there is no absolute requirement for the Source Pools (1104, 1106) to bethis large, except to ensure that any Keys, Pads or Pools (1128) thatresult from the PRNG and used within a large security system will havean extremely miniscule probability of being duplicated. The Source PoolA (1104) is nested shuffled (1112) using three Mixing Seeds A (1108),resulting in a Shuffled Source Pool A (1116). The Source Pool B (1106)is nested shuffled (1114) using three Mixing Seeds B (1110), resultingin a Shuffled Source Pool B (1120). These seeds come directly from theRNG (1102). The Shuffled Source Pool A is then used to XOR (1118) withthe Shuffled Source Pool B (1120), byte by byte, resulting in a SourcePool (1122). When a sequence of random numbers is needed from the PRNG aStrip (1124) is copied from the Source Pool (1122). This Strip (1124) isnot reused again. When the Source Pool (1122) is exhausted and a Strip(1124) cannot be retrieved from it, without being a duplicate of anolder Strip, then two sets of 3 new Mixing Seeds (1108, 1110) aregenerated from the RNG (1102) and used to reshuffle the Source Pools(1104, 1106) to then create a new pair of Shuffled Source Pools (1116,1120), which are combined together by XOR operations (1118) into a newSource Pool. The series of Strips taken from the Source Pool (1122)constitutes a PRNG stream of random numbers or bytes (1126) used tocreate Keys, Pads and Pools (1128). An old Strip can never be reused.Periodically the two Source Pools A and B (1104, 1106) are refreshedfrom the RNG (1102) to maintain their secrecy.

Referring to FIG. 12, the operation to nested shuffle a Source Pool A orB utilizes three Mixing Seeds; a Case Seed (1202), a Pack Seed (1204)and a Card Seed (1206), each having 512 unique random numbers. TheSource Pool is partitioned into 512 Cases (1208). The Cases (1208) areall shuffled together randomly (1210), using the Case Seed (1202) todetermine the shuffle pattern, and results in a random sequence of Cases(1212). Each Case is further partitioned into 512 Packs (1214). ThePacks (1214) within each Case are shuffled together randomly (1216),using the Pack Seed (1204) to determine the shuffle pattern, and resultsin a random sequence of Packs (1218), identically shuffled per Case.Each Pack within each Case is further partitioned into 512 Cards (1120)of one byte each. The Cards (1120) within each Pack are shuffledtogether randomly (1222), using the Card Seed (1206) to determine theshuffle pattern, and results in a random sequence of Cards (1224),identically shuffled per Pack. These three levels of shuffling, Level 1(L1), Level 2 (L2) and Level 3 (L3), result in a randomly shuffledSource Pool, which has (2¹¹⁷¹)³ or 2³⁵¹³ random permutations, i.e.entropy of 3315 bits.

A Vernam Stream Cipher

The idea behind this embodiment of the Vernam Stream cipher is that itswork factor strength and its high processor efficiency comes from itsbipartite structure: one part being a set of nested shuffles andsubstitution translations of the Source Pads, the other being anoperation creating a Final Pad with two simple rotations and shuffles.

Note that random materials, be it Pads or Keys, ultimately comes fromthe Server. In one embodiment, the Server is absolutely physicallysecured, with a very high quality, fast PRNG inside it that is fed bitsby a high quality RNG.

The most expensive and time consuming processor operations are beingamortized over time by refreshing the Source Pads periodically at a lowfrequency and then shuffling the Source Pads at a higher frequency usingthe Mixing Keys.

The Substitution Tables are needed when the Source Pads are shared amonga group of computers, e.g. a fully meshed set of optical switches. Forexample, if there are 1024 switches sharing the same Source Pads, theneach switch needs 1023 tables for each communicating channel. If a tableis 256 bytes in size then this is a total of 261888 bytes, orapproximately ¼ megabyte of tables that must be distributed to eachmachine, Even though all the switches know the Source Pads, they cannoteasily discover the Substitution table used by other pairs ofcommunicating switches. Caution needs to be exercised, by ensuring thatthe Source Pads are not made fully public across an entire network.Different Source Pads must be used for different sections of a networkthat need this type of communication, be it an Ethernet segment, awireless LAN segment, server communicating to multiple client computers,or a fully connected set of computers. In this way if a set of SourcePads are discovered by an attacker only that section of the network iscompromised.

The creation and use of the Final Pad on-the-fly from the Working Pads A& B is meant to be extremely processor efficient and stored within theon-chip cache of the processor. The creation of the Final Pad is muchmore frequent than the shuffling of the Source Pads by the Mixing Keys.If possible the Final Pad could even be pre-computed to handle very highbursts of data traffic (matching the highest network transmission speedspossible), for example handling an 8 MB burst before requiring a freshFinal Pad. A series of Final Pads could also be pre-computed to handle along burst of data traffic, for example handling a 64 MB burst with 8pre-computed Final Pads, each one's 8 MB unique with a very highprobability. A Working Pad is paired with two Working Keys. There arenever any random bits shared from one pair of Working Keys to the nextpair of Working Keys.

The whole cipher has a layered design to thwart attacks on the internalsecrets and yet allow it to be extremely efficient during encipherment.A Shuffled Source Pad is designed to allow the generation of a series ofWorking Pads before it needs to be reshuffled. The XORing of the twoWorking Pads together prevents a simple known plaintext attack on the1^(st) Card to discover the Card shuffle pattern of the Working Pad(this assumes the Shuffled Source Pad has been compromised and isknown). Even if the Shuffled Source Pad is compromised, the attackerthen tries to get to the original Source Pad through three layers ofshuffling. Even if the Source Pad itself is compromised at some point,that Source Pad is thrown away and a whole new Source Pad is downloadedfrom the Server. The random rotation of the Working Pads discouragescertain counting and partial key attacks. The cipher is designed suchthat if attacks are possible with keys of 128 unique random numbers,then increase the keys to 256 unique random numbers. Any partial keyattacks are made more difficult through use of the partitioning of theSource Pads and operating on them separately under random guidance untilthe last possible moment before creating the Final Pad.

Through software implementation, the cipher does not require burning innew firmware nor redesigning an ASIC chip set. Another embodiment wouldbe to add more memory chips.

Referring to FIG. 13, the Vernam cipher depends upon access to areliable, moderately fast network for key and pad material distribution.It is designed with a 10 Mbps Ethernet LAN in mind for the back channelcommunications with a central Key and Pad Server (1302), which containsa RNG and a PRNG. The cipher itself will support over 1 Gbps encryptedthroughput (1308) on an ordinary computer's communication interface,typically either 100 Mbps or 1 Gbps Ethernet, between the two computers,a Sender Computer (1304) and a Receiver Computer (1306). Each of thesecomputers shares the identical sets of Working Keys (1316), RotationValues (1318), Substitution Keys (1314), Mixing Keys (1312), and SourcePads (1310), and a copy of the cipher algorithm (1320) either insoftware or hardware. The Source Pads (1310) and Substitution Keys(1316) are periodically refreshed on both computers to maintain themaximum level of security. To extend the life (i.e. keep them secretlonger) of the Source Pads, while they are on both computers, the serverwill send out Mixing Keys (1312) and Substitution Keys (1314) as needed.More frequently, Rotation Values (1318) and Working Keys (1316) are sentout to each machine to regenerate the actual randomly created pad usedto encrypt the clear data or decrypt the cipher data (1308). Note thatfor purposes of this document all communications with the Key & PadServer are considered secure, i.e. cryptographically mutuallyauthenticated and private. This could also be achieved by having aseparate physically secure 10 Mbps LAN dedicated to only distributingKeys, Values and Pads from the Server.

Referring to FIG. 14, another embodiment for stand-alone operationwithout a server uses two identical disks (1404) that are generated froma Disk Manufacturing utility (1402), which contains a RNG and a PRNG.The cipher supports over 1 Gbps encrypted throughput (1410) on anordinary computer's communication interface between the two computers, aSender Computer (1406) and a Receiver Computer (1408). Each of thesecomputers shares the identical sets of Working Keys (1418), RotationValues (1420), Substitution Keys (1416), Mixing Keys (1414), Source Pads(1412), and a copy of the cipher algorithm (1422) either in software orhardware. The Source Pads (1412) and Substitution Keys (1416) areperiodically refreshed on both computers to maintain the maximum levelof security. To extend the life (i.e. keep them secret longer) of theSource Pads, while they are on both computers, they can retrieve MixingKeys (1414) and Substitution Keys (1416) as needed from their respectivedisks (1404). More frequently, Rotation Values and Working Keys areretrieved by each machine to regenerate the actual randomly created padused to encrypt the clear data or decrypt the cipher data (1410). Notethat for purposes of this document all communications with the disks areconsidered secure, e.g. located inside each computer.

Referring to FIG. 15, for encryption the Cipher machinery (1526) takesas input two Working Pads, derived from the four Source Pads (1506,1508, 1510, 1512), two Working Keys (1532), two Rotation Values (1534),and the Clear Text data (1528). The two Working Pads each comes from oneof the two Nested Shuffle & Substitution Machineries (1502, 1504). Onemachinery (1502) takes as input two Source Pads A and B (1506, 1508),two Substitution Keys A and B (1514), and two sets of three Mixing Keys(1516, 1518). The other machinery (1504) takes as input two Source PadsC and D (1510, 1512), two Substitution Keys C and D (1520), and two setsof three Mixing Keys (1522, 1624). The Clear Text data (1528) cannotexceed half the length of a Source Pad, before requiring a new set ofWorking Keys and Rotation Values. For example, using four 16 MB SourcePads, a maximum of 8 MB of data can be encrypted before requiring afresh set of two Working Keys and two Rotation Values. So every 8 MBblock of encrypted data has a pair of Working Keys and a pair ofRotation Values associated with it. Every byte of Clear Text data istransformed out into a corresponding byte of Cipher Text data (1530), ina manner very similar to standard stream cipher behavior. The 1^(st)clear byte becomes the 1^(st) cipher byte, and the 2^(nd) clear bytebecomes the 2^(nd) cipher byte, and so forth, until the last clear bytebecomes the last cipher byte. However, unlike a normal stream cipher thebytes can be encrypted out of order, but regardless of order the n^(th)clear byte always becomes the n^(th) cipher byte.

Note that one of the properties of this Cipher is the ability to do“random access” encryption. For example to encipher the 5^(th) 8 MBblock of data then simply get the 5^(th) pair of Working Keys andoperate on it. Given an offset of a particular byte within the blockthen just encrypt that byte. The block can be smaller than 8 MB and thenencrypt that smaller amount. The cipher machinery does not require anypadding bytes to fill out a minimum block size like DES requires.

Note that another one of the properties of this Cipher is the ability todo “broadcast” encryption. For example several hosts can share the fourSource Pads. During normal communications each pair of communicationhosts will have a unique pair of Substitution Keys for each channelbetween a pair of hosts. However if one host broadcasts to the otherhosts, then for the broadcast all receiving hosts can use the sameSubstitution Keys. This works in a similar same way for a fully meshednetworking fabric of routers or switches.

Referring to FIG. 16, decryption is identical to encryption, except thatnow the Cipher Machinery (1626) takes as input two Working Pads, derivedfrom the four Source Pads (1606, 1608, 1610, 1612), two Working Keys(1632), two Rotation Values (1634), and the Cipher Text data (1628). Thetwo Working Pads each comes from one of the two Nested Shuffle &Substitution Machineries (1602, 1604). One machinery (1602) takes asinput two Source Pads A and B (1606, 1608), two Substitution Keys A andB (1614), and two sets of three Mixing Keys (1616, 1618). The othermachinery (1604) takes as input two Source Pads C and D (1610, 1612),two Substitution Keys C and D (1620), and two sets of three Mixing Keys(1622, 1624). The Cipher Text data (1628) cannot exceed half the lengthof a Source Pad, before requiring a new set of Working Keys (1632) andRotation Values (1634). For example, using four 16 MB Source Pads, amaximum of 8 MB of data can be encrypted before requiring a fresh set oftwo Working Keys and two Rotation Values. Every byte of Cipher Text datais transformed out into a corresponding byte of Clear Text data (1630),in a manner similar to normal stream cipher behavior.

FIG. 17 reveals an internal view of a half of an initial phase of theCipher Machinery. The Source Pad A of 16 megabytes (1702) is nestedshuffled (1710) with the three Mixing Keys A (1706) resulting in aShuffled Source Pad A of 16 megabytes (1714). Each byte of this is thenrandomly substituted for another byte using Substitution Table A (1718),which takes as input Substitution Key A (1722). The Source Pad B of 16megabytes (1704) is nested shuffled (1712) with the three Mixing Keys B(1708) resulting in a Shuffled Source Pad B of 16 megabytes (1716). Eachbyte of this is then randomly substituted for another byte usingSubstitution Table B (11720), which takes as input Substitution Key B(1724). XOR the two resulting pads from Substitution Tables A and Btogether (1726), byte-by-byte, and the result pads a 16-megabyte WorkingPad A (1728).

FIG. 18 reveals an internal view of another half of the initial phase ofthe Cipher Machinery. The Source Pad C of 16 megabytes (1802) is nestedshuffled (1810) with the three Mixing Keys C (1806) resulting in aShuffled Source Pad C of 16 megabytes (1814). Each byte of this is thenrandomly substituted for another byte using Substitution Table C (1818),which takes as input Substitution Key C (1822). The Source Pad D of 16megabytes (1804) is nested shuffled (1812) with the three Mixing Keys D(1808) resulting in a Shuffled Source Pad D of 16 megabytes (1816). Eachbyte of this is then randomly substituted for another byte usingSubstitution Table D (1820), which takes as input Substitution Key D(1824). XOR the two resulting pads from Substitution Tables D and Ctogether (1826), byte-by-byte, and the result is a 16-megabyte WorkingPad B (1828).

FIG. 19 reveals an internal view of the mechanics of a SubstitutionTable. Each byte of a Shuffled Source Pad (1902) is used as an indexinto a byte of a Substitution Key, which is also known as theSubstitution Table (1904). The indexed byte or new byte (1906) is thensubstituted for the old byte (1902). This is repeated for each byte ofthe Shuffled Source Pad.

FIG. 20 reveals an internal view of a final phase of the CipherMachinery. The Working Pad A (2002) is Rotated and then Simple Shuffled(2006), using a Working Key A (2010) and a Rotation Value A (2014), thenextract half of each of the Cards (2018), and the result is a 8-megabyteTemporary Pad A (2022). The Working Pad B (2004) is Rotated and thenSimple Shuffled (2008), using a Working Key B (2012) and a RotationValue B (2016), then extract half of each of the Cards (2020), and theresult is a 8-megabyte Temporary Pad B (2026). XOR the two resultingTemporary Pads (2022, 2026) together (2024), byte-by-byte, and theresult is a 8-megabyte Final Pad (2028). This Final Pad can then be usedto XOR (2030) with Clear Text Data (2032), byte by byte, resulting inCipher Text Data (2034), or it can be used to XOR (2036) with CipherText Data (2038), byte by byte, resulting in Clear Text Data (2040).

Referring to FIG. 21, the operation to nested shuffle a Source Pad A orB or C or D of 16 megabytes each utilizes three Mixing Seeds; a CaseSeed (2102), a Pack Seed (2104) and a Card Seed (2106), each having 256unique random numbers. The Source Pad is partitioned into 256 Cases(2108). The Cases (2108) are all shuffled together randomly (2110),using the Case Seed (2102) to determine the shuffle pattern, and resultsin a random sequence of Cases (2112). Each Case is further partitionedinto 256 Packs (2114). The Packs (2114) within each Case are shuffledtogether randomly (2116), using the Pack Seed (2104) to determine theshuffle pattern, and results in a random sequence of Packs (2118),identically shuffled per Case. Each Pack within each Case is furtherpartitioned into 256 Cards (2120) of one byte each. The Cards (2120)within each Pack are shuffled together randomly (2122), using the CardSeed (2106) to determine the shuffle pattern, and results in a randomsequence of Cards (2124), identically shuffled per Pack. These threelevels of shuffling, Level 1 (L1), Level 2 (L2) and Level 3 (L3), resultin a randomly shuffled Source Pad, which has (2⁵¹²)³ or 2¹⁵³⁶ randompermutations, i.e. entropy of 1536 bits.

Referring to FIG. 22, this illustrates the core operation of the cipher.First a Working Pad of 16-megabytes (2206) is randomly rotated by 4-byteintervals using the random Rotation Value (2204). Then the Working Padis sub-divided into 16384 Packs (2208) of which each is furthersub-divided into 256 Cards (2210) where a Card is 4 bytes in size. Usingthe Working Key (2202) we shuffle the Cards in the 1^(st) Pack (2212).This results in 256 randomly shuffled Cards in the first Pack (2214). Werepeat this from 2^(nd) to the last Pack in the Working Pad. Thisresults in a 16-megabyte Rotated and Shuffled Working Pad (2216).Finally we extract the first 128 Cards of each Pack (2218) and assemblethem into an 8-megabyte Temporary Pad (2220).

This shuffle can be done extremely fast since a typical Working Key andmany Source Pad Packs can be brought in the microprocessor's fastest L1cache. The Key stays in L1 cache, amortizing its load cost from DRAMover all the 16384 Packs. Further performance gains can be made bytaking advantage of multiple ALU pipelines in a CPU to process eitherlarger Cards or multiple Packs simultaneously.

The Source Pads are considered to be secret, known only to the Sender,the Receiver, and the Key & Pad Server. The only exception is forsupporting host broadcasting, when they are shared across all the hosts.The three levels of four sets of Mixing Keys, two sets of SubstitutionKeys, along with the four Source Pads, which themselves are periodicallychanged, interact to effectively keep the four Source Pads secret for aslong as possible. In the exceptional case of broadcast support, wherethe Source Pads are known, then the Substitution table should prevent anoffline precomputation attack.

A Keyed One-Way Hash

Referring to FIG. 23, a Keyed One-Way Hash function (2304) takes asinput a Data Buffer (2302), Encryption Pads (2310) from an EncryptionPool (2308), Rotation Vectors (2314) from a Rotation Pool (2312),Padding bytes (2318) from a Padding Pool (2316), and Pre-Hash LookupTable A (2320) and Pre-Hash Lookup Table B (2322). It outputs a MessageAuthentication Code or MAC Value (2306). All pools and tables come froma central Server or a Disk (2324). Mixing Keys for nested reshufflingall the pools and pool refreshes come from the Server or the Disk(2326). Mixing Keys for nested reshuffling the tables, and tablesrefresh come from the Server or the Disk (2328). The server is used toprovide online support, while the disk is used provide offline supportof a computer using the Keyed One-Way Hash. A disk would containeverything needed maintain offline secure communications, includingextra keys, pools, and tables.

Referring to FIG. 24, the core Compression Function (2404) of the KeyedOne-Way Hash, compresses an input array of 16 elements (2402), whereeach element is 4 bytes in size, resulting with an output of aCompressed Value (2406), which is 4 bytes in size. The compression ratiois 16:1. To prevent certain types of 2^(nd) pre-image attacks, aRotation Vector (2408) composed of random bits is extracted from aRotation Pool (2410), and is supplied to the Compression Function(2404). For each new use of the Compression Function a fresh RotationVector is extracted from the Rotation Pool. A Rotation Vector can neverbe reused. If no more Rotation Vectors can be extracted from theRotation Pool then it must be refreshed from the Server or Disk.

While the example above results in a four byte Compressed Value, whichis useful due to the limited space inside an IPv4 packet header, itcould also result in larger values such as 16 bytes, 20 bytes or 32bytes, by simply adjusting the compression ratio and the size of theArray of 4-byte Elements (2402). Also the size of each element in thearray (2402) can be adjusted, however normally for performance reasonsthe native integer size for arithmetic operations of the hostmicroprocessor should be selected.

Referring to FIG. 25, the mechanics of the compression function operatesuch that each 32-bit Element (2506) is rotated by a unique random 5bits (2504). For example if the 5 bits of the 1^(st) Rotate Value (2504)contained the random value 7, then the corresponding 1^(st) Element(2506) would have it's 32 bits shifted left by 7 bits, where theleftmost original 7 bits would be copied to first 7 bits of theresulting 32 bits. A similar operation could use a right shift instead.The rotation on an Intel CPU would typically use the ROL or ROR machineoperation for higher performance. These 5 bits come from the RotationVector (2502), and are log₂(32) bits in total, where 32 is the bit sizeof the 4-byte integer value to be rotated. The Rotation Vector is atotal of 80 bits, which is calculated from 5 bits times the compressedratio of 16, or 10 bytes. After the random rotation of each Element theyare XOR'd together (2508), 15 times, and the result is a four byteCompressed Value (2510).

Referring to FIG. 26, to compress a 64 Kilobyte data buffer (2602),divided into 16384 4-byte Elements, a 16:1 compression function (2604)can be used 1024 times, each with a ten byte Rotation Vector L1 (2606).The resulting 1024 4-byte Elements (2608) can be 16:1 compressed again(2610) 64 times, each with a ten byte Rotation Vector L2 (2612). Theresulting 64 4-byte Elements (2614) can be 16:1 compressed yet again(2616) 4 times, each with a ten byte Rotation Vector L3 (2618). Finallythe resulting four 4-byte Elements (2620) can be 4:1 compressed (2622),with a 2½ byte Rotation Vector L4 (2624), with a resulting final fourbyte Compressed Value (2626).

Referring to FIG. 27, to compress a 64 byte data buffer (2702), dividedinto sixteen 4-byte Elements, a 16:1 compression function (2704) can beused once, with a ten byte Rotation Vector L1 (2706), resulting with afinal four byte Compressed Value (2708).

Referring to FIG. 28, to compress a 1518 Byte data buffer (2802), it isfirst padded with 18 random bytes (2806), which come from the PaddingPool, resulting in 384 4-byte Elements (2808). A 16:1 compressionfunction (2810) can be used 24 times, with a ten byte Rotation Vector L1(2812). The resulting 24 4-byte Elements are padded with 32 random bytes(2814), which come from the Random Padding Pool, to end up with 324-byte Elements (2816). An 8:1 compression function (2818) can be usedfour times, with a five byte Rotation Vector L2 (2820). Finally theresulting four 4-byte Elements (2822) can be 4:1 compressed (2824), witha 2½ byte Rotation Vector L3 (2826), resulting with a four byteCompressed Value (2828).

Referring to FIG. 29, after calculating a Compression Value (2902), offour bytes, the Compression Value (2902) is split into Sub-CompressionValue A (2904) and Sub-Compression Value B (2906), each two bytes insize. Pre-Hash Look Up Table A (2908) is filled with 65536 entries, eachconsisting of a random four bytes from the PRNG. Likewise Pre-Hash LookUp Table B (2910) is filled with 65536 entries, each consisting of arandom four bytes from the Server's PRNG. The Sub-Compression Value A isthen used as an index into Pre-Hash Look Up Table A to extract a randomnumber, four bytes in size, a Pre-Hash Value A (2912). Likewise theSub-Compression Value B is then used as an index into Pre-Hash Look UpTable B to extract a random number, four bytes in size, a Pre-Hash ValueB (2916). They are then XOR'd together (2914) to create a Hash Value(2918). These series of operations are designed to prevent a 1^(st)pre-image attack working backwards from the Hash Value. To furtherprotect the Hash Value (2918), a four byte Encryption Pad (2924) isextracted from an Encryption Pool (2922) of 2 megabytes in size, whichis the total amount of hash data expected to be operated on over aperiod of time, and XOR'd with it (2920) to produce the four byte MACValue (2926). Each Encryption Pad (2924) is unique and can never bereused. If no more unique Encryption Pads can be extracted from theEncryption Pool then it is either refreshed from the Server's PRNG orfrom new PRNG bits stored on the Disk. If the stored PRNG bits areexhausted on the Disk then a new Disk must be manufactured by the DiskManufacturing Utility, using it's PRNG. The new Disk then replaces theold, exhausted Disk.

Another embodiment of the invention would take a Compression Value of 16bytes and divide it into eight sub-Compression Value's, which in turn isan index to eight separate Pre-Hash Look Up Tables of 65536 16-byterandom value entries. The resulting eight indices are XOR'd together toform the 16-byte Hash Value. This in turn is XOR'd with a 16-byteEncryption Pad and results in a 16-byte MAC Value.

Referring to FIG. 30, the operation to nested shuffle a Pre-Hash Look UpTables Source of 512 Kilobytes utilizes three Mixing Seeds; a Case Seed(3002), a Pack Seed (3004) and a Card Seed (3006), each having 64 uniquerandom numbers. The Pre-Hash Look Up Tables Source is partitioned into64 Cases (3008). The Cases (3008) are all shuffled together randomly(3010), using the Case Seed (3002) to determine the shuffle pattern, andresults in a random sequence of Cases (3012). Each Case is furtherpartitioned into 64 Packs (3014). The Packs (3014) within each Case areshuffled together randomly (3016), using the Pack Seed (3004) todetermine the shuffle pattern, and results in a random sequence of Packs(3018), identically shuffled per Case. Each Pack within each Case isfurther partitioned into 64 Cards (3020) of one byte each. The Cards(3020) within each Pack are shuffled together randomly (3022), using theCard Seed (3006) to determine the shuffle pattern, and results in arandom sequence of Cards (3024), identically shuffled per Pack. Thesethree levels of shuffling, Level 1 (L1), Level 2 (L2) and Level 3 (L3),result in a randomly shuffled Pre-Hash Look Up Tables Source, which has(2⁹²)³ or 2²⁷⁶ random permutations, i.e. entropy of 276 bits.

Referring to FIG. 31, the operation to nested shuffle a Encryption Poolof 512 Kilobytes utilizes three Mixing Seeds; a Case Seed (3102), a PackSeed (3104) and a Card Seed (3106), each having 64 unique randomnumbers. The Encryption Pool is partitioned into 64 Cases (3108). TheCases (3108) are all shuffled together randomly (3110), using the CaseSeed (3102) to determine the shuffle pattern, and results in a randomsequence of Cases (3112). Each Case is further partitioned into 64 Packs(3114). The Packs (3114) within each Case are shuffled together randomly(3116), using the Pack Seed (3104) to determine the shuffle pattern, andresults in a random sequence of Packs (3118), identically shuffled perCase. Each Pack within each Case is further partitioned into 64 Cards(3120) of one byte each. The Cards (3120) within each Pack are shuffledtogether randomly (3122), using the Card Seed (3106) to determine theshuffle pattern, and results in a random sequence of Cards (3124),identically shuffled per Pack. These three levels of shuffling, Level 1(L1), Level 2 (L2) and Level 3 (L3), result in a randomly shuffledEncryption Pool, which has (2⁹²)³ or 2²⁷⁶ random permutations, i.e.entropy of 276 bits.

Referring to FIG. 32, the operation to nested shuffle a Rotation Pool offour megabytes utilizes three Mixing Seeds; a Case Seed (3202), a PackSeed (3204) and a Card Seed (3206), each having 128 unique randomnumbers. The Rotation Pool is partitioned into 128 Cases (3208). TheCases (3208) are all shuffled together randomly (3210), using the CaseSeed (3202) to determine the shuffle pattern, and results in a randomsequence of Cases (3212). Each Case is further partitioned into 128Packs (3214). The Packs (3214) within each Case are shuffled togetherrandomly (3216), using the Pack Seed (3204) to determine the shufflepattern, and results in a random sequence of Packs (3218), identicallyshuffled per Case. Each Pack within each Case is further partitionedinto 128 Cards (3220) of one byte each. The Cards (3220) within eachPack are shuffled together randomly (3222), using the Card Seed (3206)to determine the shuffle pattern, and results in a random sequence ofCards (3224), identically shuffled per Pack. These three levels ofshuffling, Level 1 (L1), Level 2 (L2) and Level 3 (L3), result in arandomly shuffled to Rotation Pool, which has (2²²⁰)³ or 2⁶⁶⁰ randompermutations, i.e. entropy of 660 bits.

Referring to FIG. 33, the operation to nested shuffle a Random PaddingPool of 256 kilobytes utilizes three Mixing Seeds; a Case Seed (3302), aPack Seed (3304) and a Card Seed (3306), each having 64 unique randomnumbers. The Random Padding Pool is partitioned into 64 Cases (3308).The Cases (3308) are all shuffled together randomly (3310), using theCase Seed (3302) to determine the shuffle pattern, and results in arandom sequence of Cases (3312). Each Case is further partitioned into64 Packs (3314). The Packs (3314) within each Case are shuffled togetherrandomly (3316), using the Pack Seed (3304) to determine the shufflepattern, and results in a random sequence of Packs (3318), identicallyshuffled per Case. Each Pack within each Case is further partitionedinto 64 Cards (3320) of one byte each. The Cards (3320) within each Packare shuffled together randomly (3322), using the Card Seed (3306) todetermine the shuffle pattern, and results in a random sequence of Cards(3324), identically shuffled per Pack. These three levels of shuffling,Level 1 (L1), Level 2 (L2) and Level 3 (L3), result in a randomlyshuffled Random Padding Pool, which has (2⁹²)³ or 2²⁷⁶ randompermutations, i.e. entropy of 276 bits.

Referring to FIG. 34, these solid circle aid attached line drawingsdemonstrate the various ways computers (the solid circles) cancommunicate securely (the lines). A peer-to-peer connection (3402) showstwo computers communicating securely. A hub-and-spoke connection model(3404) shows how a server computer may communicate securely withoutlying client computers. A fully meshed network (3406) shows howpeers, such as optical switches, may communicate securely with any oneof the others directly. A broadcast network (3408) shows how a group ofcomputers may share a communications channel in order to securelycommunicate with one another.

The Non-Cyclic Pseudo-Random Number Generator

The non-cyclic pseudo-random number generator of this invention providesa secure and efficient mechanism for magnifying the output of a slowerhardware random number generator. It does so without introducing bias orpredictable number sequences. It generates the random bits in such amanner as to minimize the burden on the host computer and to take fulladvantage the performance capabilities of modern microprocessorarchitectures.

In addition, its overall strength is based on its secret buffers andseeds, not in the algorithm's complexity. This means that if any secretor seed is compromised wholly or partially the generator can be quicklyrepaired with a new secret or seed. If the generator is considered tooweak for whatever reason, then larger secrets and longer seeds can beintroduced swiftly and easily without requiring significant redesign orchanges to existing generator implementations in software or hardware,with the possible exception of additional memory.

The Vernam Stream Cipher

The Vernam stream cipher of this invention provides a secure andefficient mechanism for transmitting encrypted data between sender andreceiver computers. It does not introduce any extra bytes into theencrypted stream. It encrypts and decrypts in such a manner as tominimize the burden on the host computer and to take full advantage theperformance capabilities of modern microprocessor architectures.

In addition, its overall strength is based on its shared secret buffersand keys, not in the algorithm's complexity. This means that if anysecret or key is compromised wholly or partially the cipher can bequickly repaired with a new secret or key. If the cipher is consideredtoo weak for whatever reason, then larger secrets and longer keys can beintroduced swiftly and easily without requiring significant redesign orchanges to existing cipher implementations in software or hardware, withthe possible exception of additional memory.

Furthermore, the Vernam Stream Cipher has the additional advantages inthat

-   -   it can support a fully meshed network of N computers, involving        ½×(N²−N) encrypted connections;    -   it can support encrypted broadcasts to multiple computers        simultaneously;    -   it can be seamlessly integrated with the Keyed One-Way Hash.        The Keyed One-Way Hash

The Keyed One-Way Hash, or message authentication code (MAC), of thisinvention provides a highly secure and efficient mechanism fortransmitting a code authenticating the data sent between sender andreceiver computers. It compresses in such a manner as to minimize theburden on the host computer and to take full advantage the performancecapabilities of modern microprocessor architectures.

In addition, its overall strength is based on its shared secret buffers,tables and one-time pad, not in the algorithm's complexity. This meansthat if any secret, table or pad is compromised wholly or partially thekeyed one-way hash can be quickly repaired with a new secret, table orpad. If the hash is considered too weak for whatever reason, then largersecrets, tables and pad can be introduced swiftly and easily withoutrequiring significant redesign or changes to existing cipherimplementations in software or hardware, with the possible exception ofadditional memory.

Furthermore, the Keyed One-Way Hash has the additional advantages inthat

-   -   it can support a fully meshed network of N computers, involving        ½×(N²−N) encrypted connections;    -   it can support encrypted broadcasts to multiple computers;    -   it can be seamlessly integrated with a Vernam Stream Cipher.

The foregoing descriptions of specific embodiments of the invention havebeen presented for purposes of illustration and description. They arenot intended to be exhaustive or to limit the invention to the preciseembodiments disclosed, and naturally many modifications and variationsare possible in light of the above teaching. The embodiments were chosenand described in order to explain the principles of the invention andits practical application, to thereby enable others skilled in the artto best utilize the invention and various embodiments with variousmodifications as are suited to the particular use contemplated. It isintended that the scope of the invention be defined by the Claimsappended hereto and their equivalents.

1-23. (canceled)
 24. An apparatus for generating a keyed one-way hashvalue comprising: a. a rotation pool for providing a plurality ofrotation vectors, each of the plurality of rotation vectors consistingof a series of random rotation values; b. a plurality of lookup tablescontaining random values in a table entry; c. a compression functionconfigured to receive a block of message data, a rotation vectorcontaining the series of random rotation values, a plurality of paddingvalues, and outputs a final compression value; and d. a mechanismconnected to the plurality of look-up tables configured to substitute arandom hash value for the final compression value.
 25. The apparatusaccording to claim 24 further comprising an encryption pool forproviding encryption pads.
 26. The apparatus according to claim 25further comprising a one time pad encipherment of the hash value using apad extracted in a unique manner from the encryption pool, resulting ina message authentication code value.
 27. The apparatus according toclaim 24 further comprising a padding pool for providing random paddingvalues.
 28. The apparatus according to claim 27 further comprising aplurality of random padding values.
 29. The apparatus according to claim24 further comprising a tree construction of multiple, cascadedcompression functions, which input multiple message blocks and outputsthe final compression value.